Last modified on 01.04.2013 23:45:48

flowmon

Description

Network flow monitor. Displays traffic summaries for streams, which are defined by BPF filters.

You can think of it as something similar to iftop, at least when used with the curses interface.

Architecture

In its simplest form, flowmon spawns one additional process (a worker) for each defined stream. Every second, each worker sends the counters for its stream (packets and bytes) to the parent process. The parent process prints these counters to STDOUT as a series of single-line JSON documents, with the following keys guaranteed:

  • stream_id -- integer, zero-based ordinal number of the filter (not guaranteed to stay the same between different runs)
  • stream_name -- string, name of stream, specified by operator
  • time -- integer (UNIX timestamp), time at which the counters were collected
  • bytes -- integer, number of bytes captured since previous entry
  • packets -- integer, number of packets captured since previous entry

This output is useful as it is, but it may also be piped into some other interface, such as a curses-based one. Two examples (a curses UI and an RRD writer) are provided for reference.

How to download

git clone http://dozzie.jarowit.net/code/flowmon.git

How to build

For now, running make should be enough. You'll need the libpcapX-dev (Debian) or libpcap-devel package installed, along with GCC and make.

How to use

The simplest way is to just let flowmon print JSON:

# flowmon -f 'host example.net'
{"stream_id":0,"stream_name":"host example.net","time":1364851368,"now":1364851368,"bytes":68,"packets":1}

A fancier way is to use the fmcurses.py script, a Python implementation of what was previously flowmon's only UI:

# flowmon -f 'host example.net' | fmcurses.py

The most interesting use is flowmon as a data source for some monitoring system. A simple script, fmrrd.py, is provided as an example of how to store flowmon's output in RRD databases. Usage is similar to fmcurses.py:

# flowmon -f 'host example.net' | fmrrd.py file.rrd

flowmon may also be used to submit data to Fluentd, which in turn may pass it on to Nagios, collectd or something else.
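As an added example (not part of flowmon and not one of its bundled scripts), the following Python consumer shows what a tool sitting on the receiving end of the pipe, like fmcurses.py or fmrrd.py, has to do with the output format described under Architecture: read single-line JSON documents from stdin, check that the guaranteed keys are present with sane types, discard anything else, and turn the per-entry deltas into running totals and a bytes-per-second rate per stream. The sample lines embedded at the bottom are constructed for this example (the "port 53" stream and the garbage line are made up); the extra "now" key seen in the page's own sample output is tolerated because the parser only checks the documented keys. The rate calculation divides the bytes of an entry by the seconds elapsed since that stream's previous entry, which is an assumption of this example about how to read the "time" and "bytes" fields together, not something the page states.

```python
import json
import sys
from collections import defaultdict

# Keys that flowmon guarantees in every output line (Architecture section).
REQUIRED_KEYS = ("stream_id", "stream_name", "time", "bytes", "packets")


def parse_record(line):
    """Parse one single-line JSON document emitted by flowmon.

    Returns the decoded dict, or None if the line is empty, not valid JSON,
    not an object, or lacks one of the guaranteed keys. A long-running
    consumer should skip such lines rather than crash on them.
    """
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict):
        return None
    for key in REQUIRED_KEYS:
        if key not in rec:
            return None
    # Counters must be integers; refuse anything else before doing arithmetic.
    for key in ("time", "bytes", "packets"):
        if not isinstance(rec[key], int) or isinstance(rec[key], bool):
            return None
    return rec


class StreamTotals:
    """Accumulates per-stream counters and a simple rate between entries."""

    def __init__(self):
        self.names = {}                      # stream_id -> stream_name
        self.total_bytes = defaultdict(int)  # stream_id -> bytes seen so far
        self.total_packets = defaultdict(int)
        self.last_time = {}                  # stream_id -> time of previous entry
        self.last_rate = {}                  # stream_id -> bytes per second

    def feed(self, rec):
        sid = rec["stream_id"]
        self.names[sid] = rec["stream_name"]
        self.total_bytes[sid] += rec["bytes"]
        self.total_packets[sid] += rec["packets"]
        prev = self.last_time.get(sid)
        if prev is not None and rec["time"] > prev:
            # bytes are "since previous entry", so divide by the elapsed seconds
            self.last_rate[sid] = rec["bytes"] / float(rec["time"] - prev)
        self.last_time[sid] = rec["time"]

    def summary(self):
        """stream_id -> (name, total bytes, total packets, last rate or None)."""
        return {
            sid: (self.names[sid], self.total_bytes[sid],
                  self.total_packets[sid], self.last_rate.get(sid))
            for sid in self.names
        }


def consume(lines):
    """Feed an iterable of flowmon output lines into a StreamTotals."""
    totals = StreamTotals()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            totals.feed(rec)
    return totals


# Constructed sample: two streams over a few seconds, plus one garbage line.
SAMPLE_LINES = [
    '{"stream_id":0,"stream_name":"host example.net","time":1364851368,"now":1364851368,"bytes":68,"packets":1}',
    '{"stream_id":1,"stream_name":"port 53","time":1364851368,"now":1364851368,"bytes":0,"packets":0}',
    'not json at all',
    '{"stream_id":0,"stream_name":"host example.net","time":1364851369,"now":1364851369,"bytes":1500,"packets":2}',
    '{"stream_id":1,"stream_name":"port 53","time":1364851369,"now":1364851369,"bytes":120,"packets":1}',
    '{"stream_id":0,"stream_name":"host example.net","time":1364851371,"now":1364851371,"bytes":3000,"packets":4}',
]


if __name__ == "__main__":
    # Read from a pipe (e.g. flowmon -f '...' | python thisfile.py) when one is
    # attached; otherwise run over the constructed sample so the script works offline.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for sid, (name, nbytes, npackets, rate) in sorted(consume(source).summary().items()):
        print("%d %-20s bytes=%d packets=%d rate=%s B/s" % (sid, name, nbytes, npackets, rate))
```

Because the parser rejects lines that lack the guaranteed keys or carry non-integer counters, a stray diagnostic line or a truncated record from an upstream restart is dropped instead of corrupting the totals, which is the property the RRD writer case needs most.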